Comment 10 for bug 1910298

Ian Johnson (anonymouse67) wrote : Re: .cache and .config directories in ~/snap/ should be o0700

Hi folks, we just discussed this on the snapd team, and we think that:

1. snapd should make ~/snap 0700 - this will protect against all such ~/snap/<snap-name>/current/.{cache,config,local} etc directories leaking information
2. There is an open question about when snapd should make this change

If it's agreed that instead of snapd making ~/snap 0700, snapd should just make all ~/snap/<snap-name>/{current,common}/.something directories 0700, then there's a question of when this change should be made, because I think we need to assume that vulnerable snaps will continue to be available in the store for a long time, and so we need to make sure that folks who install those snaps newly after disclosure do not suffer from the information leak.

Also, I strongly think this should get a CVE. Who from the security team is coordinating this?
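
An added example, not part of the original comment and not snapd code: a shell audit of the two options weighed above, reporting which `~/snap/<snap-name>/{current,common}/.something` directories are reachable by other users. The function names are hypothetical; it assumes GNU `stat -c` and checks only `~/snap` and the dot-directories themselves, not the home directory or the intermediate per-snap directories.

```shell
#!/bin/sh
# Added example: audit a home directory against the two options in the comment.
# Usage: audit_snap_home "$HOME"

# Succeeds if an octal mode string (e.g. 755) grants any group/other bit.
mode_is_open() {
    [ $(( 0$1 & 077 )) -ne 0 ]
}

# Prints "<mode> <path>" for each exposed dot-directory under HOME/snap.
# Returns 0 if nothing is exposed, 1 otherwise.
audit_snap_home() {
    snap_root="$1/snap"
    [ -d "$snap_root" ] || return 0

    # Option 1: a 0700 ~/snap blocks traversal to everything below it,
    # so the modes of the directories underneath no longer matter.
    if ! mode_is_open "$(stat -c %a "$snap_root")"; then
        return 0
    fi

    found=0
    # Option 2: ~/snap stays traversable, so every dot-directory under
    # current/ and common/ has to be 0700 on its own.
    for d in "$snap_root"/*/current/.[!.]* "$snap_root"/*/common/.[!.]*; do
        [ -d "$d" ] || continue          # skips files and unmatched globs
        mode=$(stat -L -c %a "$d")       # -L: current is a symlink to a revision
        if mode_is_open "$mode"; then
            printf '%s %s\n' "$mode" "$d"
            found=1
        fi
    done
    return "$found"
}
```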